Another round of click-fraud extensions pulled from Chrome Store

More than 500,000 users stung

A security researcher has claimed that a cumulative half a million Chrome users have been hit by four malicious browser extensions pushing click and SEO fraud.

Icebrg's Justin Warner and Mario De Tore spotted the extensions while investigating a spike in outbound traffic from a workstation in a customer's network. The company claims the four extensions had more than 500,000 downloads in all.

Change HTTP Request Header didn't contain malicious code, the post stated. Rather, it downloaded “a JSON blob from ‘change-request[.]info’”, and that blob pushed a configuration update, after which obfuscated JavaScript was fetched from the control domain.

“Once injected, the malicious JavaScript establishes a WebSocket tunnel with ‘change-request[.]info’. The extension then utilises this WebSocket to proxy browsing traffic via the victim’s browser”, the post said, and that was how the click-fraud was launched.

A possible second use of the proxy would be to browse a company's internal network, for information that could be sent back to the control domain.

The three related extensions used similar techniques to inject unsafe JavaScript, Icebrg's analysts believe. The “Stickies” app went one step further, trying “to obfuscate its ability to retrieve external JavaScript for injection by modifying its included jQuery library”.